4 March 1983

ABSTRACT 

The structure of divide and conquer algorithms is represented by program
schemes which provide a kind of normal-form for expressing these algorithms.
A theorem relating the correctness of a divide and conquer algorithm to the
correctness of its subalgorithms is given. Several strategies for designing
divide and conquer algorithms arise from this theorem and we use them to
formally derive algorithms for sorting a list of numbers, evaluating a
propositional formula, and forming the cartesian product of two sets.

0. Introduction

The advance of scientific knowledge often involves the grouping together of
similar objects followed by the abstraction and representation of their common
structural and functional features. Generic properties of the objects in the
class are then studied by reasoning about this abstract characterization. The
resulting theory may suggest strategies for designing objects in the class which
have given characteristics. This paper reports on one such investigation into a
class of related algorithms called "divide and conquer". We seek not only to
gain a deeper and clearer understanding of the algorithms in this class, but to
formulate this knowledge for the purposes of algorithm design. The essential
structure of divide and conquer algorithms is expressed by a class of program
schemes. We present a fundamental theorem relating the correctness of an
instance of one of these schemes to the correctness of its parts. This theorem
provides a basis for designing divide and conquer algorithms in a formal way.

The principle underlying divide and conquer algorithms can be simply
stated: if the problem posed by a given input is sufficiently simple we solve it
directly, otherwise we decompose it into independent subproblems, solve the
subproblems, then compose the resulting solutions. The process of decomposing
the input problem and solving the subproblems gives rise to the term "divide and
conquer" although "decompose, solve, and compose" would be more accurate.

We chose to explore the synthesis of divide and conquer algorithms for
several reasons:

Structural Simplicity - Divide and conquer is perhaps the simplest program
structuring technique which does not appear as an explicit control structure in
current programming languages. Our description of the structure of divide and
conquer algorithms is based on a view of them as computational homomorphisms
between algebras on their input and output domains. Careful choice of
programming language constructs allows us to express divide and conquer
algorithms concisely and in accord with their essential structure as
homomorphisms.

Computational Efficiency - Often algorithms of asymptotically optimal complexity
arise from the application of the divide and conquer principle to a problem.
Fast approximate algorithms for NP-hard problems frequently are based on the
divide and conquer principle.

Diversity of Applications - Divide and conquer algorithms are common in
programming, especially when processing structured data objects such as arrays,
lists, and trees. Many examples of divide and conquer algorithms may be found in
texts on algorithm design (e.g. [1,11]). Bentley [3] presents numerous
applications of the divide and conquer principle to problems involving sets of
objects in multidimensional space.

One of our goals is to help formalize the process of designing algorithms to
meet given specifications. Our approach in this paper is based on instantiating
program schemes to obtain concrete programs satisfying a given specification.
Related work on programming by instantiating program schemes is reported in
[4,5,7,8,15]. Aside from the fact that we are concerned here with only one
class of algorithms, our approach differs from these others mostly in focusing
on formal techniques for deriving specifications for the uninterpreted operators
in a program scheme.

In Section 1 we seek to acquaint the reader with some examples of divide
and conquer algorithms. Algebraic notation introduced in Section 2 is used to
present schemes in Section 3 characterizing the class of divide and conquer
algorithms. The main result of this paper is a theorem showing how the
correctness of a divide and conquer algorithm follows from its form and the
correctness of its parts. In Section 4 we discuss the top-down design of divide
and conquer algorithms and proceed with the derivation of a selection sort
algorithm. In Section 5 we derive algorithms for a few more problems including
the evaluation of a Boolean expression and finding the cartesian product of two
sets.

1. Examples of Divide and Conquer Algorithms

Applications of the divide and conquer principle are most naturally
expressed by recursive programs. In Figure 1 we present a selection sort
program expressed in an ad-hoc functional programming language (based on
Backus' FP systems [2]) which we now summarize.

We use three data types: B (Boolean values TRUE and FALSE), IN (natural
numbers 0,1,2,...), and LIST(IN) (linear lists of natural numbers e.g., nil,
(3), (5,2,2,7)). Any element of these types is called an object, and if
x1,...,xn for n≥0 are data objects then the n-tuple <x1,...,xn> is also a data
object. The selector functions 1, 2,... return the first, second,... elements
of a tuple respectively. For example, 1:<3,4> = 3, 2:<3,4> = 4.

In a functional programming language programs are viewed as a hierarchy of
functions. All functions map a data object to a data object. We use the
notation f:x to denote the result of applying the function (program) f to data
object x. If a function requires n arguments for some n>1, then it is applied
to an n-tuple of objects. For the natural numbers we have the usual addition
function, denoted +, and the comparison operators <, ≤, =, ≠, ≥, >. In deference
to convention we allow infix notation for the arithmetic functions and
relational operators, thus we equivalently write "3+5" and "+:<3,5>". On the
data type LIST(IN) we use the following functions: Nil, which returns the empty
list (denoted nil); List, which maps a natural number into the list containing
it; First, which returns the first element in a list; Rest, which returns its
input list minus the first element; Cons, which adds a number to the front of a
list (e.g. Cons:<2,(5,4)> = (2,5,4)); snoC, (the inverse of Cons) which returns
a 2-tuple containing the first element and the rest of the input list (e.g.
snoC:(2,5,4) = <2,(5,4)>); and Length, which returns the length of a list. On
all types we use Id as the identity function.

Ssort:x0 = if
    x0 = nil -> x0 []
    x0 ≠ nil -> Cons∘(Id×Ssort)∘Select:x0
fi

Select:x = if
    Rest:x = nil -> snoC:x []
    Rest:x ≠ nil -> Compose∘(Id×Select)∘snoC:x
fi

Compose:<v1,<v2,z>> = if
    v1 ≤ v2 -> <v1,Cons:<v2,z>> []
    v1 ≥ v2 -> <v2,Cons:<v1,z>>
fi

Figure 1: A Selection Sort Program


Functions are combined to yield new functions via the following combining
forms. f∘g, called the composition of f and g, denotes the function resulting
from applying f to the result of applying g to its argument.

For example:  Length∘Rest:(1,3,5) = Length:(Rest:(1,3,5))
                                  = Length:(3,5)
                                  = 2

f×g, called the product of f and g, is defined by

    f×g:<x,y> = <f:x,g:y>.

For example: Id×Length:<3,(1,3,5,7)> = <3,4>.

If q_1,...,q_n are boolean functions or constants and f_1,...,f_n are functions
or data objects then

    if q_1 -> f_1 [] ... [] q_n -> f_n fi

is a nondeterministic conditional form. During evaluation each of the boolean
functions, called guards, are evaluated. If any of the guards are undefined, or
if none of the guards evaluate to TRUE, then the value of the form is undefined.
Otherwise one of the guards, say q_i, which evaluates to TRUE is
nondeterministically selected and the form evaluates to f_i:x. For example,

    if ≤ -> 1 [] ≥ -> 2 fi

is a simple if-fi form mapping IN × IN into IN and computing the minimum of two
natural numbers. On application to <2,3> the guard "≤" evaluates to TRUE thus
the form evaluates to 1:<2,3> = 2. Note that on application to <3,3> both guards
evaluate to TRUE thus either branch of the conditional can be taken. Although
either branch can be taken the result is the same for this function.

We name functions by means of definitions. For example we can name the
above if-fi form Min by means of the following definition

    Min = if ≤ -> 1 [] ≥ -> 2 fi.

For readability in definitions we allow the naming of arguments, replace
selector function applications by the name of their result, and pretty print,
so Min can be defined by

Min:<x,y> = if
    x ≤ y -> x []
    x ≥ y -> y
fi.

The selection sort algorithm in Figure 1 works as follows. If the input is
nil then nil is output. If the input is non-nil then a smallest element is
split off and then prepended onto the result of recursively sorting the
remainder of the input. The function Select evaluates as follows on the list
(2,5,1,4)

Select:(2,5,1,4) = Compose∘(Id×Select)∘snoC:(2,5,1,4)
                 = Compose∘(Id×Select):<2,(5,1,4)>
                 = Compose:<2,<1,(5,4)>>
                 = <1,Cons:<2,(5,4)>>
                 = <1,(2,5,4)>

where Select:(5,1,4) evaluates to <1,(5,4)> in a similar manner. Ssort when
applied to (2,5,1,4) evaluates as follows

Ssort:(2,5,1,4) = Cons∘(Id×Ssort)∘Select:(2,5,1,4)
                = Cons∘(Id×Ssort):<1,(2,5,4)>
                = Cons:<1,(2,4,5)>
                = (1,2,4,5)

where Ssort:(2,5,4) evaluates to (2,4,5) in a similar manner.

Ssort and Select exemplify the structure of divide and conquer algorithms.
In Ssort when the input is nil then the problem is solved directly, otherwise
the input problem is decomposed via Select, the subproblems solved via the
product Id×Ssort, and the results composed by Cons. In Select when the input
has length one then the problem is solved directly, otherwise the input is
decomposed via snoC into a tuple of subinputs, the subinputs processed in
parallel by Id×Select, and the results composed by Compose. We call Select in
Ssort and snoC in Select the decomposition operators. Cons in Ssort and Compose
in Select are called composition operators. The identity function, Id, in both
Ssort and Select is called an auxiliary operator.

Why introduce new language features here? We feel that the importance of
divide and conquer algorithms is justification enough to require that a
programming language allow their concise expression. We have introduced those
linguistic features which allow divide and conquer programs to clearly reflect
their essential structure. For example, the construction of decomposition
operators is facilitated by allowing functions to return a tuple of objects.
The product form allows us to directly express parallel processing of
independent subproblems. In conditionals we are not forced to determine the
order in which the guards are to be evaluated - they are conceptually evaluated
in parallel. In addition, the language simplifies reasoning about and designing
divide and conquer algorithms.

2. Algebraic Concepts

2.1 Program Termination

In designing divide and conquer algorithms we shall be concerned with
ensuring that they terminate on all legal inputs. The usual method for showing
the termination of a recursive program depends on the existence of a
well-founded ordering on the input domain.

A structure $\langle W, \succ \rangle$ where W is a set and $\succ$ is a binary
relation on W is a well-founded set and $\succ$ is a well-founded ordering on W
if:

1) $\succ$ is irreflexive: $u \not\succ u$ for all $u \in W$

2) $\succ$ is asymmetric: if $u \succ v$ then $v \not\succ u$ for all $u,v \in W$

3) $\succ$ is transitive: if $u \succ v$ and $v \succ w$ then $u \succ w$ for
   all $u,v,w \in W$

4) there is no infinite descending sequence $u_0 \succ u_1 \succ u_2 \succ \cdots$
   in W.

For example, IN (natural numbers) with the usual greater than relation > forms
the well-founded set $\langle \mathbb{N}, > \rangle$.

A recursive program P with input domain D can be shown to terminate on all
inputs in the following way. First, a well-founded ordering $\succ$ is
constructed on D. Then, we show that for any $x \in D$ P applied to x only
generates recursive applications (calls) to inputs x' for which $x \succ x'$.
There can be no infinite sequence $x_0, x_1, x_2, \ldots$ such that applying P
to $x_i$ results in the application of P to $x_{i+1}$ for $i \ge 0$ since the
well-founded ordering does not allow $x_0 \succ x_1 \succ x_2 \succ \cdots$.

Proposition 1. Let E be a set, let $\langle W, \succ_W \rangle$ be a
well-founded set, and let $h: E \to W$ be a function from E into W. The relation
$\succ_E$ defined by:

    $u \succ_E u'$ iff $h(u) \succ_W h(u')$

is a well-founded ordering on E.

Proof: 1) $\succ_E$ is irreflexive - for any u, $h{:}u \not\succ_W h{:}u$, but
then by definition $u \not\succ_E u$.

2) $\succ_E$ is asymmetric - if $u \succ_E u'$ then $h(u) \succ_W h(u')$ and
$h(u') \not\succ_W h(u)$ (by asymmetry of $\succ_W$) thus $u' \not\succ_E u$.

3) $\succ_E$ is transitive - if $u \succ_E u'$ and $u' \succ_E u''$ then
$h(u) \succ_W h(u')$ and $h(u') \succ_W h(u'')$. $h(u) \succ_W h(u'')$ follows
by transitivity of $\succ_W$, then $u \succ_E u''$ follows by definition of
$\succ_E$.

4) $\langle E, \succ_E \rangle$ has no infinite decreasing sequence - if
$u_0 \succ_E u_1 \succ_E u_2 \succ_E \cdots$ then
$h(u_0) \succ_W h(u_1) \succ_W h(u_2) \succ_W \cdots$ contradicting the
well-foundedness of $\langle W, \succ_W \rangle$. QED

Proposition 1 enables us to establish a well-founded ordering on LIST(IN)
(list of natural numbers) by simply finding a function from LIST(IN) to IN. A
suitable primitive function is Length, so we may define

    $x \succ y$ iff Length:x > Length:y

for all x,y ∈ LIST(IN). By Proposition 1 we conclude that
$\langle \mathrm{LIST}(\mathbb{N}), \succ \rangle$ is a well-founded set.

2.2 Many-Sorted Algebras

Algebraic concepts are playing an increasingly important role in formulating
the fundamental notions of computer science. In this paper we show that
divide and conquer algorithms can be usefully characterized algebraically as
homomorphisms between appropriately defined algebras on the input and output
domains. In this section we present the basic terminology of many-sorted
algebras based on and extending the notation of ADJ [9,10].

For any $n \in \mathbb{N}$ let $\underline{n} = \{1,2,\ldots,n\}$. As usual the
cartesian product of sets $A_1, A_2, \ldots, A_n$ is written
$A_1 \times A_2 \times \cdots \times A_n$ and denotes
$\{\langle a_1,a_2,\ldots,a_n \rangle \mid a_i \in A_i \text{ for } i \in \underline{n}\}$.
Parentheses are used for nesting so

    $A_1 \times (A_2 \times A_3) = \{\langle a_1,\langle a_2,a_3 \rangle\rangle \mid a_1 \in A_1,\ a_2 \in A_2,\ a_3 \in A_3\}$

the set of 2-tuples whose first component belongs to $A_1$, and whose second
component belongs to $A_2 \times A_3$.

Generally, we use the term many-sorted algebra to denote a collection of
sets equipped with operators defined on cartesian products of the sets. Let S
denote a nonempty set of symbols called sorts and $\underline{s} \in S$ be a
distinguished sort called the principal sort. A finite $\underline{s}$-oriented
S-sorted signature $\Sigma$ is a finite set of operator symbols
$\{\sigma_1, \ldots, \sigma_r\}$, $r \ge 1$, where for $1 \le i \le r$,
$\sigma_i$ has type $\langle w_i, \underline{s} \rangle$ where $w_i \in S^*$ and
$w_i = w_{i1} \ldots w_{in_i}$, $n_i \ge 0$. Let $\langle A_s \rangle_{s \in S}$
be an S-indexed family of sets. If $w \in S^*$ and $w = w_1 w_2 \ldots w_n$ then
$A^w$ denotes the cartesian product
$A_{w_1} \times A_{w_2} \times \cdots \times A_{w_n}$. Letting $\lambda$ denote
the empty string, $A^\lambda$ denotes the set consisting of the 0-tuple,
$\{\langle\rangle\}$. A $\Sigma$-algebra A consists of a family of sets
$\langle A_s \rangle_{s \in S}$ called the carriers of A, and a set of operators
denoted $\sigma_i^A$, $i = 1, \ldots, r$, where
$\sigma_i^A : A^{w_i} \to A_{\underline{s}}$. $A_{\underline{s}}$ will be called
the principal carrier of A. A $\Sigma$-algebra A will be written
$A = \langle \{C_1, \ldots, C_k\}, \{f_1, \ldots, f_r\} \rangle$ where
$C_1, \ldots, C_k$ are the carriers of A and $f_1, \ldots, f_r$ are its
operators. A $\Sigma$-algebra will be called a composition algebra.

We shall be interested in composition algebras which 1) allow each element
of the principal carrier to be expressed as a composition of other elements, and
2) compose smaller elements into larger elements. For example, on the domain
LIST(IN) consider the operators

    Nil:  -> LIST(IN)                  (e.g., Nil:<> = nil)
    List: IN -> LIST(IN)               (e.g., List:3 = (3))
    Cons: IN × LIST(IN) -> LIST(IN)    (e.g., Cons:<3,(1,4)> = (3,1,4)).

Every list of natural numbers can be expressed as either a composition by Cons
(Cons:<i,y> for some i ∈ IN and y ∈ LIST(IN)) or by Nil, thus

    <{LIST(IN), IN}, {Cons, Nil}>

is a composition algebra for LIST(IN). For the domain LIST(IN)-nil, the
operators Cons and List allow expression of each non-nil list as a composition
by Cons (Cons:<i,y> for some i ∈ IN and y ∈ LIST(IN)-nil) or by List (List:i for
some i ∈ IN), thus

    <{LIST(IN)-nil, IN}, {Cons, List}>

is a composition algebra for LIST(IN)-nil.

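Let A and B be $\Sigma$-algebras and let $H = \langle h_s \rangle_{s \in S}$ be
an S-indexed family of functions where for each $s \in S$, $h_s : A_s \to B_s$.
If $w = w_1 w_2 \ldots w_n$ let $h_w$ denote the product function
$h_{w_1} \times h_{w_2} \times \cdots \times h_{w_n}$. Thus if $a \in A^w$ then

    $h_w{:}a = \langle h_{w_1}{:}a_1,\ h_{w_2}{:}a_2,\ \ldots,\ h_{w_n}{:}a_n \rangle.$

$h_\lambda$ denotes the unique function mapping $A^\lambda$ to $B^\lambda$, also
written $\mathrm{Id}_{\langle\rangle}$.

$H = \langle h_s \rangle_{s \in S}$ is a ($\Sigma$-)homomorphism from A to B if
for each operator symbol $\sigma_i$ and $a \in A^{w_i}$

    $h_{\underline{s}} \circ \sigma_i^A{:}a = \sigma_i^B \circ h_{w_i}{:}a$

i.e. the diagram in Figure 2 commutes.

Figure 2: Commutative Diagram of a $\Sigma$-homomorphism.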

A $\Sigma^{-1}$-algebra A is a family of sets $\langle A_s \rangle_{s \in S}$
and operators $\sigma_i^A : A_{\underline{s}} \to A^{w_i}$ for each
$1 \le i \le r$. A $\Sigma^{-1}$-algebra will be called a decomposition algebra.
We shall be interested in decomposition algebras which 1) allow each element of
the principal carrier to be decomposed into other elements, and 2) decompose
larger elements into smaller elements. For example, on the domain LIST(IN) we
can define operators which are the inverses of the composition operators
considered above.

    liN:  LIST(IN) ->                  (e.g. liN:nil = <>)
    tsiL: LIST(IN) -> IN               (e.g. tsiL:(3) = 3)
    snoC: LIST(IN) -> IN × LIST(IN)    (e.g. snoC:(3,1,4) = <3,(1,4)>)

Every list of natural numbers can be decomposed either by snoC or liN, thus

    <{LIST(IN), IN}, {snoC, liN}>

is a decomposition algebra for LIST(IN). For the domain LIST(IN)-nil, the
operators snoC and tsiL allow the decomposition of each non-nil list into
non-nil lists and natural numbers, thus

    <{LIST(IN)-nil, IN}, {snoC, tsiL}>

is a decomposition algebra for LIST(IN).

Let A be a $\Sigma^{-1}$-algebra, B a $\Sigma$-algebra, and let
$H = \langle h_s \rangle_{s \in S}$ be an S-indexed family of functions such
that for each $s \in S$ $h_s : A_s \to B_s$. H is a
($\Sigma^{-1}$-$\Sigma$)-homomorphism from A to B if for each
$x \in A_{\underline{s}}$ such that $\sigma_i^A{:}x$ is defined

    $h_{\underline{s}}{:}x = \sigma_i^B \circ h_{w_i} \circ \sigma_i^A{:}x$        (2.1)

i.e., the diagram in Figure 3 commutes.

Figure 3: Commutative Diagram of a ($\Sigma^{-1}$-$\Sigma$)-homomorphism.

For example, let $S = \{c, \underline{s}\}$ and let
$\Sigma = \{\sigma_1, \sigma_2\}$ be a S-sorted signature where $\sigma_1$ has
type $\langle \lambda, \underline{s} \rangle$ and $\sigma_2$ has type
$\langle c\underline{s}, \underline{s} \rangle$. Consider LS and LC which are
$\Sigma^{-1}$ and $\Sigma$-algebras respectively where:

    LS = <{IN, LIST(IN)}, {liN, Select}>

    LC = <{IN, LIST(IN)}, {Nil, Cons}>.

LS has carriers $LS_c$ = IN and $LS_{\underline{s}}$ = LIST(IN) and operators

    Select: LIST(IN) -> IN × LIST(IN) and

    liN: LIST(IN) -> {<>}.

Select splits a list of natural numbers into its least element and the rest of
the list as discussed earlier. LC has carriers $LC_c$ = IN and
$LC_{\underline{s}}$ = LIST(IN) and operators

    Cons: IN × LIST(IN) -> LIST(IN) and

    Nil: {<>} -> LIST(IN).

Letting $h_{\underline{s}}$ be the function Sort, which sorts a list of numbers,
and $h_c$ the identity function Id, we have a natural homomorphism from LS to
LC. First, Sort and Id have the required domains and codomains:

    Id: IN -> IN                  ($h_c : LS_c \to LC_c$)

    Sort: LIST(IN) -> LIST(IN)    ($h_{\underline{s}} : LS_{\underline{s}} \to LC_{\underline{s}}$)

and the homomorphism condition (2.1) is satisfied: for any x ∈ LIST(IN) such
that liN:x is defined (i.e. x = nil)

    Sort:x = Nil∘Id_<>∘liN:x    ($h_{\underline{s}}{:}x = \sigma_1^{LC} \circ h_\lambda \circ \sigma_1^{LS}{:}x$)

and for any x ∈ LIST(IN) such that Select:x is defined (i.e. x ≠ nil)

    Sort:x = Cons∘(Id×Sort)∘Select:x.    ($h_{\underline{s}}{:}x = \sigma_2^{LC} \circ h_{c\underline{s}} \circ \sigma_2^{LS}{:}x$)

This homomorphism, of course, is the essence of a selection sort algorithm.
When the input x is nil we can sort directly, otherwise we decompose x into a
number i and a list y, sort y, then Cons i onto the result.

3. Divide and Conquer Algorithms: Form and Function

In  this  section  we  present  notation  expressing  the  form  (via  program 
schemes)  and  function  (via  specifications)  of  divide  and  conquer  algorithms.  We 
also  present  a  fundamental  theorem  showing  how  the  functionality  of  a  divide  and 
conquer  program  follows  from  its  form  and  the  functionalities  of  its  parts. 
First  we  consider  the  expression  of  functionality. 

3.1 Specifications

Specifications are a precise notation for describing the problem (or
function) we desire to solve without necessarily indicating how to solve (or
compute) it. For example, the problem of decomposing a list of natural numbers
into its smallest element and the remainder of the list may be specified as
follows.

    Select:x = <i,z> such that x ≠ nil ⇒ i ≤ Bag:z ∧ Bag:x = Add:<i,Bag:z>
    where Select: LIST(IN) -> IN × LIST(IN).

The problem is named Select which is a function from lists of natural numbers to
2-tuples consisting of a natural number and a list. Naming the input x and the
output <i,z>, the formula "x ≠ nil", called the input condition, expresses any
restrictions on the inputs we can expect to the problem. The formula "i ≤ Bag:z
∧ Bag:x = Add:<i,Bag:z>", called the output condition, expresses the conditions
under which <i,z> is an acceptable output with respect to input x. The function
Bag maps a list into the bag (multiset) of elements contained in it (e.g.
Bag:(1,5,2,2) = {1,5,2,2} = Bag:(1,2,5,2)). i ≤ Bag:z asserts that each element
in the list z is no less than i. The function Add:<i,b> returns the bag
containing i in addition to all elements of bag b. Bag:x = Add:<i,Bag:z>,
asserts that the multiset (bag) of elements in the input list x is the same as
the multiset of elements in z with i added.

Generally, a specification Π has the form

    Π:x = z such that I:x ⇒ O:<x,z>
    where Π: D -> R.

We ambiguously use the symbol Π to denote both the problem, its specification,
and a solution to the problem. Here the input and output domains are D and R
respectively. The input condition I expresses any properties we can expect of
inputs to the desired program. Inputs satisfying the input condition will be
called legal inputs. If an input does not satisfy the input condition then we
don't care what output, if any, the program produces. The output condition O
expresses the properties that an output object should satisfy. Any output
object z such that O:<x,z> holds will be called a feasible output with respect
to input x. More formally, a specification Π is a 4-tuple <D,R,I,O> where

    D is a set called the input domain,

    R is a set called the output domain,

    I is a relation on D called the input condition, and

    O is a relation on D×R called the output condition.

Program F satisfies specification Π = <D,R,I,O> if

    ∀x∈D [I:x ⇒ O:<x,F:x>]

is valid in a suitable first-order theory, i.e., if on each legal input F
computes a feasible output.

Let S be a set of sorts with principal sort $\underline{s}$.
$\Pi = \langle E, T, J, P \rangle$ denotes an S-sorted family of problems where
E and T are S-sorted families of sets, for each $s \in S$ $J_s$ is a relation on
$E_s$ and $P_s$ is a relation on $E_s \times T_s$. For each $s \in S$ let
$\Pi_s$, called a component problem, denote the problem specification
$\langle E_s, T_s, J_s, P_s \rangle$. $\Pi_{\underline{s}}$ will be called the
principal problem and for each $s \in S - \underline{s}$ $\Pi_s$ will be called
an auxiliary problem.

3.2 The Form of Divide and Conquer Algorithms

Let S be a sort set with principal sort $\underline{s}$ and let $\Sigma$ be a
finite $\underline{s}$-oriented S-sorted signature where
$\Sigma = \{\sigma_1, \ldots, \sigma_r\}$, $r \ge 1$, and for $1 \le i \le r$,
$\sigma_i$ has type $\langle w_i, \underline{s} \rangle$ where $w_i \in S^*$ and
$w_i = w_{i1} \ldots w_{in_i}$, $n_i \ge 0$. A $\Sigma$-divide and conquer
algorithm has the form

    $f_{\underline{s}}{:}x$ = if
        $q_1{:}x \to \sigma_1^T \circ f_{w_1} \circ \sigma_1^E{:}x$  []
        ...
        $q_r{:}x \to \sigma_r^T \circ f_{w_r} \circ \sigma_r^E{:}x$
    fi.

where

1. E is a $\Sigma^{-1}$-algebra

2. T is a $\Sigma$-algebra

3. $F = \langle f_s \rangle_{s \in S}$ is an S-indexed family of functions where
   $f_s : E_s \to T_s$

4. $q_i$, for $i \in \underline{r}$, is a predicate on $E_{\underline{s}}$.

The operators in E and T are called the decomposition and composition operators
respectively. Each $f_s$ for $s \in S - \underline{s}$ is called an auxiliary
function and $f_{\underline{s}}$ is called the principal function. In these
terms the program's behavior can be described as follows: Given input x, a guard
$q_i$ which evaluates to TRUE is selected nondeterministically. Input x is
decomposed by the decomposition operator $\sigma_i^E$ into a tuple of subinputs.
This tuple is then processed in parallel by the function product $f_{w_i}$ and
the results composed by the composition operator $\sigma_i^T$. In order for the
algorithm to terminate not all the branches of the conditional can contain
recursive calls. The nonrecursive branches treat with those inputs which can be
solved directly.

If we view the guards $q_i$ for $i \in \underline{r}$ as characterizing the set
of inputs on which the corresponding decomposition operator $\sigma_i^E$ is
defined, then the divide and conquer algorithm clearly expresses F as a
homomorphism from the decomposition algebra E to the composition algebra T.
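
The scheme above can be exercised directly. The following Python sketch is an
added example, not code from the paper: it interprets a branch list of (guard,
decomposition, sorts, composition) and instantiates it with the Select and
Ssort operators of Sections 1 and 2. The names Scheme, PRINCIPAL,
select_spec_holds, sort_spec_holds and looping_sort are assumptions made here,
as are the choice of the first true guard and the output condition used for
sorting.

```python
from collections import Counter

PRINCIPAL = "s"  # assumed name for the principal sort; other names index `aux`


class Scheme:
    """f:x = if q1:x -> c1.f_w1.d1:x [] ... [] qr:x -> cr.f_wr.dr:x fi

    branches: list of (guard, decomposition, sorts, composition) tuples
    aux:      auxiliary functions keyed by sort name
    measure:  h from inputs to naturals; by Proposition 1 it induces the
              well-founded ordering  x > y  iff  h(x) > h(y)
    """

    def __init__(self, branches, aux, measure):
        self.branches, self.aux, self.measure = branches, aux, measure

    def __call__(self, x):
        for guard, decompose, sorts, compose in self.branches:
            if not guard(x):
                continue  # nondeterministic choice resolved as "first true guard"
            subinputs = tuple(decompose(x))
            if len(subinputs) != len(sorts):
                raise ValueError("decomposition does not match its declared type")
            outputs = []
            for sort, xj in zip(sorts, subinputs):
                if sort == PRINCIPAL:
                    # A recursive call must move strictly down the ordering,
                    # otherwise termination is not guaranteed.
                    if not self.measure(x) > self.measure(xj):
                        raise ValueError(f"subinput {xj!r} is not smaller than {x!r}")
                    outputs.append(self(xj))
                else:
                    outputs.append(self.aux[sort](xj))
            return compose(tuple(outputs))
        raise ValueError(f"no guard holds for {x!r}: not a legal input")


# Operators from the paper; a list (a1,...,an) is a Python tuple, nil is ().
def identity(v):
    return v

def snoc(x):                       # snoC:(3,1,4) = <3,(1,4)>
    return (x[0], x[1:])

def tsil(x):                       # tsiL:(3) = 3, returned as a 1-tuple of subinputs
    return (x[0],)

def lin(x):                        # liN:nil = <>
    return ()

def cons(t):                       # Cons:<3,(1,4)> = (3,1,4)
    return (t[0],) + t[1]

def compose_min(t):
    """Compose from Figure 1: keep the smaller head, push the other back."""
    v1, (v2, z) = t
    return (v1, (v2,) + z) if v1 <= v2 else (v2, (v1,) + z)


# Select: decomposition algebra {tsiL, snoC} on non-nil lists.
select = Scheme(
    [(lambda x: len(x) == 1, tsil, ("c",), lambda t: (t[0], ())),
     (lambda x: len(x) > 1, snoc, ("c", PRINCIPAL), compose_min)],
    aux={"c": identity}, measure=len)

# Ssort: decomposition algebra {liN, Select}, composition algebra {Nil, Cons}.
ssort = Scheme(
    [(lambda x: x == (), lin, (), lambda t: ()),
     (lambda x: x != (), select, ("c", PRINCIPAL), cons)],
    aux={"c": identity}, measure=len)


def select_spec_holds(x, out):
    """Output condition of Select: i <= Bag:z and Bag:x = Add:<i,Bag:z>."""
    i, z = out
    return all(i <= e for e in z) and Counter(x) == Counter((i,) + z)


def sort_spec_holds(x, z):
    """Assumed output condition for sorting: same bag, ascending order."""
    return Counter(x) == Counter(z) and all(a <= b for a, b in zip(z, z[1:]))


def looping_sort():
    """Faulty instance: the 'decomposition' hands the whole list back."""
    whole_list_again = lambda x: (x[0], x)
    return Scheme(
        [(lambda x: x == (), lin, (), lambda t: ()),
         (lambda x: x != (), whole_list_again, ("c", PRINCIPAL), cons)],
        aux={"c": identity}, measure=len)


if __name__ == "__main__":
    x = (2, 5, 1, 4)               # constructed sample input, as in Section 1
    print(select(x), select_spec_holds(x, select(x)))
    print(ssort(x), sort_spec_holds(x, ssort(x)))
    try:
        looping_sort()(x)
    except ValueError as err:
        print("rejected:", err)
```

The measure check turns a decomposition that does not descend in the Length
ordering of Section 2.1 into an immediate error instead of unbounded recursion.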

3.3 Correctness of a Divide and Conquer Algorithm

The main theoretical result of our paper is the following theorem which
shows how the correctness of the whole divide and conquer algorithm follows from
the correctness of its parts. Conditions (1), (2), and (3) of Theorem 1 simply
provide the form of a specification for the parts of a $\Sigma$-divide and
conquer algorithm. The most interesting condition is the "separability"
condition (4). It is the principal link between the functionality of the
algebras E and T, the auxiliary problems $\Pi_s$, and the given principal
problem. In words it states that if input $x_0$ decomposes into subinputs
$x_1, \ldots, x_n$, and $z_1, \ldots, z_n$ are feasible outputs with respect to
these subinputs respectively, and $z_1, \ldots, z_n$ compose to form $z_0$ then
$z_0$ is a feasible solution to input $x_0$. Loosely put: feasible outputs
compose to form feasible outputs. Condition (5) asserts that for each legal
input at least one of the guards holds.

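Theorem 1: Let S be a set of sorts with principal sort $\underline{s}$ and let $\Sigma$ be a finite
$\underline{s}$-oriented S-sorted signature. Let E be a $\Sigma^{-1}$-algebra, T be a $\Sigma$-algebra, $\Pi$ an
S-sorted family of specifications, F an S-sorted family of functions where for
each $s \in S$, $f_s: E_s \to T_s$. Let $\succ$ be a well-founded ordering on $E_{\underline{s}}$ and for each $i \in \underline{r}$
let $O_{iE}$ and $O_{iT}$ be relations on $E^{\underline{s}w_i}$ and $T^{\underline{s}w_i}$ respectively. If

(1) (Specification of $\sigma_E$) the decomposition operator $\sigma_{iE}$, for $i = 1,\ldots,r$,
satisfies the specification

$$\sigma_{iE}:x_0 = \langle x_1,\ldots,x_{n_i}\rangle \ \text{such that}\ q_i:x_0 \wedge J_{\underline{s}}:x_0 \Rightarrow \bigwedge_{j \in \underline{n_i}} \bigl(J_{w_{ij}}:x_j \wedge (w_{ij} = \underline{s} \Rightarrow x_0 \succ x_j)\bigr) \wedge O_{iE}:\langle x_0,x_1,\ldots,x_{n_i}\rangle$$

where $\sigma_{iE}: E_{\underline{s}} \to E^{w_i}$

(2) (Specification of $\sigma_T$) the composition operator $\sigma_{iT}$, for $i = 1,\ldots,r$,
satisfies the specification

$$\sigma_{iT}:\langle z_1,\ldots,z_{n_i}\rangle = z_0 \ \text{such that}\ O_{iT}:\langle z_0,z_1,\ldots,z_{n_i}\rangle$$

where $\sigma_{iT}: T^{w_i} \to T_{\underline{s}}$

(3) (Solutions to Auxiliary Problems) for each $s \in S - \underline{s}$, $f_s$ satisfies
specification

$$\Pi_s:x = z \ \text{such that}\ J_s:x \Rightarrow P_s:\langle x,z\rangle$$

where $\Pi_s: E_s \to T_s$.

(4) (Separability of P) the following formula is valid for each $i \in \underline{r}$:

$$\forall \langle x_0,x_1,\ldots,x_{n_i}\rangle \in E^{\underline{s}w_i}\ \forall \langle z_0,z_1,\ldots,z_{n_i}\rangle \in T^{\underline{s}w_i}\ \Bigl[O_{iE}:\langle x_0,x_1,\ldots,x_{n_i}\rangle \wedge \bigwedge_{j \in \underline{n_i}} P_{w_{ij}}:\langle x_j,z_j\rangle \wedge O_{iT}:\langle z_0,z_1,\ldots,z_{n_i}\rangle \Rightarrow P_{\underline{s}}:\langle x_0,z_0\rangle\Bigr]$$

(5) (Definition of the guards) For all $x \in E_{\underline{s}}$

$$J_{\underline{s}}:x \Rightarrow \bigvee_{j \in \underline{r}} q_j:x$$

then the divide and conquer program

    f_s:x ≡ if
        q_1:x → σ_1T∘f_w1∘σ_1E:x □
        ...
        q_r:x → σ_rT∘f_wr∘σ_rE:x
    fi

satisfies specification $\Pi_{\underline{s}} = \langle E_{\underline{s}},T_{\underline{s}},J_{\underline{s}},P_{\underline{s}}\rangle$.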

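Proof: To show that $f_{\underline{s}}$ satisfies $\Pi_{\underline{s}} = \langle E_{\underline{s}},T_{\underline{s}},J_{\underline{s}},P_{\underline{s}}\rangle$ we will prove
by structural induction² on $E_{\underline{s}}$.

Let x be an arbitrary object in $E_{\underline{s}}$ such that $J_{\underline{s}}:x$ holds and assume (inductively)
that $J_{\underline{s}}:y \Rightarrow P_{\underline{s}}:\langle y,f_{\underline{s}}:y\rangle$ holds for any $y \in E_{\underline{s}}$ such that $x \succ y$. From $J_{\underline{s}}:x$
and condition (5) it follows that $q_i:x$ holds for some $i \in \underline{r}$. By the semantics of
the if-fi construct $f_{\underline{s}}:x$ can evaluate to $\sigma_{iT}\circ f_{w_i}\circ\sigma_{iE}:x$. We will show that
$P_{\underline{s}}:\langle x,f_{\underline{s}}:x\rangle$ by using the inductive assumption and modus ponens on the
separability condition. Since $q_i:x \wedge J_{\underline{s}}:x$ holds and $\sigma_{iE}$ satisfies its specification in
condition (1), the output condition of $\sigma_{iE}$ also holds. Let $\sigma_{iE}:x = \langle x_1,\ldots,x_{n_i}\rangle$.
We have for each $j \in \underline{n_i}$, $J_{w_{ij}}:x_j$. Consider $x_j$ for each $j \in \underline{n_i}$. If $w_{ij} \ne \underline{s}$ then by
condition (3)

$$J_{w_{ij}}:x_j \Rightarrow P_{w_{ij}}:\langle x_j,f_{w_{ij}}:x_j\rangle$$

and we infer by modus ponens $P_{w_{ij}}:\langle x_j,f_{w_{ij}}:x_j\rangle$. If on the other hand $w_{ij} = \underline{s}$
then by condition (1) we have $x_0 \succ x_j$ and thus by our inductive assumption

$$J_{w_{ij}}:x_j \Rightarrow P_{w_{ij}}:\langle x_j,f_{w_{ij}}:x_j\rangle.$$

Again we infer $P_{w_{ij}}:\langle x_j,f_{w_{ij}}:x_j\rangle$ by modus ponens. By condition (2) we have

$$O_{iT}:\langle \sigma_{iT}:\langle f_{w_{i1}}:x_1,\ldots,f_{w_{in_i}}:x_{n_i}\rangle, f_{w_{i1}}:x_1,\ldots,f_{w_{in_i}}:x_{n_i}\rangle$$

where

$$\sigma_{iT}:\langle f_{w_{i1}}:x_1,\ldots,f_{w_{in_i}}:x_{n_i}\rangle = f_{\underline{s}}:x.$$

We have now established the antecedent of condition (4) enabling us to infer
$P_{\underline{s}}:\langle x,f_{\underline{s}}:x\rangle$. QED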

Notice that in Theorem 1 the form of the subalgorithms $\sigma_{iE}$, $\sigma_{iT}$, and $f_s$ for
$s \in S - \underline{s}$ is not relevant. All that matters is that they satisfy their respective
specifications.  In  other  words,  their  function  and  not  their  form  matters  with 
respect  to  the  correctness  of  the  whole  divide  and  conquer  algorithm. 


² Structural induction on a well-founded set $\langle W,\succ\rangle$ is a form of mathematical
induction described by

$$\forall x \in W\ \forall y \in W\,[x \succ y \wedge Q:y \Rightarrow Q:x] \Rightarrow \forall x \in W\ Q:x$$

i.e., if Q:x can be shown to follow from the assumption that Q:y holds for each
y such that $x \succ y$, then we can conclude that Q:x holds for all x.

4. The Design of Divide and Conquer Algorithms

4.1  A  Problem  Reduction  Approach  to  Design 

Design  is  a  goal-directed  activity  and  this  is  the  primary  reason  for  the 
importance  of  top-down  design  methods.  One  form  of  top-down  design,  which  we 
call  problem  reduction,  may  be  described  by  a  two  phase  process  -  the  top-down 
decomposition of problem specifications and the bottom-up composition of
programs. In practice these phases are interleaved but it helps to understand them
separately. Initially we are given a specification $\Pi$. In the first phase we
create an overall program structure for $\Pi$, which fixes certain gross features
of the desired program. Some parts of the structure are at first
underdetermined but their functional specifications are worked out so that they can be
treated  as  relatively  independent  subproblems  to  be  solved  at  a  later  stage. 
Next  we  work  in  turn  on  each  of  the  subproblem  specifications,  and  so  on.  This 
process  of  creating  program  structure  and  decomposing  problem  specifications 
terminates  in  primitive  problem  specifications  which  can  be  solved  directly, 
without  reduction  to  subproblems.  The  result  is  a  tree  of  specifications  with 
the  initial  specification  at  the  root  and  primitive  problem  specifications  at 
the  leaves.  The  children  of  a  node  represent  the  subproblem  specifications 
written   (or  derived)   as  we  create  program  structure. 

The  second  phase  involves  the  bottom-up  composition  of  programs.  Initially 
each  primitive  problem  specification  is  solved  to  obtain  a  program  (which  is 
often a programming language operator). Subsequently whenever each of the
subproblem specifications generated when working on specification $\Pi$ have
solutions, these subproblem solutions are assembled into a program for $\Pi$.

We  advocate  [13,14]  a  formal  counterpart  to  the  problem  reduction  approach 
based  on  the  use  of  program  schemes.  A  scheme  provides  a  standard  overall 
structure  for  the  desired  program  and  its  uninterpreted  operator  symbols  stand 
for  the  underdetermined  parts  of  the  structure.  To  use  a  scheme  we  require  a 
corresponding design strategy. Given a problem specification $\Pi$ a design
strategy derives specifications for subproblems in such a way that solutions for the
subproblems can be assembled (via the scheme) into a solution for $\Pi$. A design
strategy  then  is  a  way  of  generating  an  instance  of  a  scheme  which  satisfies  a 
given  specification.  Any  program  scheme  admits  a  number  of  design  strategies. 
Dershowitz  and  Manna  [4]  have  presented  some  strategies  for  designing  program 
sequences, if-then-else statements, and loops.

We have found three design strategies for divide and conquer algorithms.
Each attempts to derive specifications for subalgorithms which satisfy the
conditions of Theorem 1. If successful then any operators which satisfy these
derived specifications can be assembled into a divide and conquer algorithm
satisfying the given specification. The key difficulty is to ensure that the
derived specifications satisfy the separability condition, so each design
strategy concentrates on this goal.

The first design strategy, called DS1, can be described as follows.

DS1)  First  choose  a  simple  decomposition  algebra  as  E  and 
choose  simple  known  functions  for  the  auxiliary  functions, 
then  use  the  separability  condition  to  reason  backwards 
towards  output  conditions  and  to  reason  forwards  towards  input 
conditions  for  the  operators   in  T. 

To see how we reason towards specifications for the operators in T, suppose that
we have selected a $\Sigma^{-1}$-algebra E and chosen simple known functions $f_s$ for
$s \in S - \underline{s}$ and let the given problem be $\Pi = \langle D,R,I,O\rangle$. We show how to derive output
conditions for $\sigma_{iT}$ for some $i \in \underline{r}$. First use

$\sigma_{iE}:x_0 = \langle x_1,\ldots,x_{n_i}\rangle$ as $O_{iE}:\langle x_0,x_1,\ldots,x_{n_i}\rangle$,

$f_{w_{ij}}:x_j = z_j$ as $P_{w_{ij}}:\langle x_j,z_j\rangle$ for $1 \le j \le n_i$, $w_{ij} \ne \underline{s}$, and

$O:\langle x,z\rangle$ as $P_{\underline{s}}:\langle x,z\rangle$,

and create the following formula

$$\forall \langle x_0,x_1,\ldots,x_{n_i}\rangle \in E^{\underline{s}w_i}\ \forall \langle z_0,z_1,\ldots,z_{n_i}\rangle \in T^{\underline{s}w_i}\ \Bigl[O_{iE}:\langle x_0,x_1,\ldots,x_{n_i}\rangle \wedge \bigwedge_{j \in \underline{n_i}} P_{w_{ij}}:\langle x_j,z_j\rangle \Rightarrow P_{\underline{s}}:\langle x_0,z_0\rangle\Bigr] \qquad (4.1)$$

This formula differs from the separability condition only in that the hypothesis
$O_{iT}:\langle z_0,z_1,\ldots,z_{n_i}\rangle$ is missing. We desire to establish the separability
condition so that we can apply Theorem 1 to show that the program we construct
satisfies its specification. We know that $O_{iT}$ is a relation on the variables
$z_0,z_1,\ldots,z_{n_i}$. Our technique is to reason backwards from the consequent always
trying to reduce it to relations expressed in terms of the variables
$z_0,z_1,\ldots,z_{n_i}$. If we can show that the assumption of an additional hypothesis
of the form

$$Q:\langle z_0,z_1,\ldots,z_{n_i}\rangle$$

allows us to prove (4.1), i.e., if we can show that

$$\forall \langle x_0,x_1,\ldots,x_{n_i}\rangle \in E^{\underline{s}w_i}\ \forall \langle z_0,z_1,\ldots,z_{n_i}\rangle \in T^{\underline{s}w_i}\ \Bigl[O_{iE}:\langle x_0,x_1,\ldots,x_{n_i}\rangle \wedge \bigwedge_{j \in \underline{n_i}} P_{w_{ij}}:\langle x_j,z_j\rangle \wedge Q:\langle z_0,z_1,\ldots,z_{n_i}\rangle \Rightarrow P_{\underline{s}}:\langle x_0,z_0\rangle\Bigr]$$

then we take Q as the output condition $O_{iT}$ since the separability condition is
satisfied by this choice of $O_{iT}$. Formal systems for performing this kind of
deduction are presented in [12,13]. We shall proceed a little less formally
here, making use of our intuition for guidance.

We can also use (4.1) to obtain input conditions for our composition
operators. The input condition for $\sigma_{iT}$ is some relation on $z_1,\ldots,z_{n_i}$ which can be
expected to hold when $\sigma_{iT}$ is invoked. Suppose that by reasoning forwards from
the relations established by the decomposition operator and the component
functions we infer a relation $Q':\langle z_1,\ldots,z_{n_i}\rangle$, i.e., that

$$\forall \langle x_0,x_1,\ldots,x_{n_i}\rangle \in E^{\underline{s}w_i}\ \forall \langle z_0,z_1,\ldots,z_{n_i}\rangle \in T^{\underline{s}w_i}\ \Bigl[O_{iE}:\langle x_0,x_1,\ldots,x_{n_i}\rangle \wedge \bigwedge_{j \in \underline{n_i}} P_{w_{ij}}:\langle x_j,z_j\rangle \Rightarrow Q':\langle z_1,\ldots,z_{n_i}\rangle\Bigr].$$

Then we take Q' as an input condition to $\sigma_{iT}$.

The other two design strategies are variations on DS1 and use the
separability condition in an analogous manner.

DS2) First choose a simple composition algebra as T,
second, choose simple known functions for the auxiliary
functions, then use the separability condition to solve for the
input and output conditions for the operators in E. An input
condition for the decomposition operator is found by
determining conditions under which a feasible output exists.

DS3) First choose a simple decomposition $\Sigma^{-1}$-algebra as E and
choose a simple composition $\Sigma$-algebra as T, then use the
separability condition to reason backwards towards output
conditions and to reason forwards towards input conditions for
the auxiliary functions.

In each of these design strategies we must find a suitable well-founded ordering
on the input domain in order to ensure program termination. Also, the guards
are chosen to reflect the domain of definition of the decomposition operators.

4.2 Design of a Selection Sort Algorithm

Suppose we are given the following specification for sorting a list of
natural numbers

$$\mathrm{SORT}:x = z \ \text{such that}\ \mathrm{Bag}:x = \mathrm{Bag}:z \wedge \mathrm{Ordered}:z$$

where $\mathrm{SORT}: \mathrm{LIST}(\mathbb{N}) \to \mathrm{LIST}(\mathbb{N})$.

Here "Bag:x = Bag:z" asserts that the multiset (bag) of elements in the list z is
the same as the multiset of elements in x. Ordered is a predicate which holds
when applied to a list whose elements are in nondecreasing order.

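The selection sort algorithm presented in Figure 4 will be derived using
design strategy DS2. Note that Ssort makes use of the composition algebra
$A = \langle\{\mathrm{LIST}(\mathbb{N}),\mathbb{N}\},\{\mathrm{Nil},\mathrm{Cons}\}\rangle$ discussed in Section 2.2. In choosing A as the
composition algebra it is not obvious ahead of time that a decomposition algebra
can be found which works with A to solve the SORT problem. This choice of
algebra should be regarded as a tentative hypothesis about how sorted lists can be
composed. The sort set of A is $S = \{c,\underline{s}\}$ where $A_{\underline{s}} = \mathrm{LIST}(\mathbb{N})$ and $A_c = \mathbb{N}$. The
operator Nil has type $\langle\lambda,\underline{s}\rangle$ and operator Cons has type $\langle c\underline{s},\underline{s}\rangle$, $\mathrm{Nil}: A^{\lambda} \to A_{\underline{s}}$,
and $\mathrm{Cons}: A^{c\underline{s}} \to A_{\underline{s}}$.

Naming our desired program Ssort we have at this point,

$E_{\underline{s}} = \mathrm{LIST}(\mathbb{N})$, $T_{\underline{s}} = \mathrm{LIST}(\mathbb{N})$, $T_c = \mathbb{N}$,

$J_{\underline{s}} \Leftrightarrow \mathrm{TRUE}$,

$P_{\underline{s}}:\langle x,z\rangle \Leftrightarrow \mathrm{Bag}:x = \mathrm{Bag}:z \wedge \mathrm{Ordered}:z$,

$O_{1T}:\langle\langle\rangle,z\rangle \Leftrightarrow z = \mathrm{nil}$,

$O_{2T}:\langle z_0,b,z_1\rangle \Leftrightarrow \mathrm{Cons}:\langle b,z_1\rangle = z_0$,

$f_{\underline{s}}$ is Ssort.

It remains to determine input and output conditions $J_c$ and $P_c$ for the auxiliary
function $f_c$, the domain $E_c$, and the output conditions $O_{1E}$ and $O_{2E}$ for the
decomposition operators.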

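Our first step towards determining $O_{2E}$ is to instantiate the separability
condition as far as possible thus obtaining

$$\forall \langle x_0,\langle a,x_1\rangle\rangle \in \mathrm{LIST}(\mathbb{N}) \times (E_c \times \mathrm{LIST}(\mathbb{N}))\ \ \forall \langle z_0,\langle b,z_1\rangle\rangle \in \mathrm{LIST}(\mathbb{N}) \times (\mathbb{N} \times \mathrm{LIST}(\mathbb{N}))$$
$$[O_{2E}:\langle x_0,\langle a,x_1\rangle\rangle \wedge P_c:\langle a,b\rangle \wedge \mathrm{Bag}:x_1 = \mathrm{Bag}:z_1 \wedge \mathrm{Ordered}:z_1 \wedge \mathrm{Cons}:\langle b,z_1\rangle = z_0 \Rightarrow \mathrm{Bag}:x_0 = \mathrm{Bag}:z_0 \wedge \mathrm{Ordered}:z_0] \qquad (4.2)$$

    Ssort:x ≡ if
        x = nil → Nil∘Id_<>∘liN:x □
        x ≠ nil → Cons∘(Id × Ssort)∘Select:x
    fi

    Select:x ≡ if
        Rest:x = nil → Compose1∘Id∘tsiL:x □
        Rest:x ≠ nil → Compose2∘(Id × Select)∘snoC:x
    fi

    Compose1:v ≡ <v,nil>

    Compose2:<v1,<v2,z>> ≡ if
        v1 ≤ v2 → <v1,Cons:<v2,z>> □
        v1 ≥ v2 → <v2,Cons:<v1,z>>
    fi

Figure 4: A Selection Sort Program

To construct this formula we have made the following substitutions into the
separability condition of Theorem 1:

1. replace $w_2$ by $c\underline{s}$

2. replace $E_{\underline{s}}$ and $T_{\underline{s}}$ by $\mathrm{LIST}(\mathbb{N})$

3. replace $E^{c\underline{s}}$ by $E_c \times \mathrm{LIST}(\mathbb{N})$ and $T^{c\underline{s}}$ by $\mathbb{N} \times \mathrm{LIST}(\mathbb{N})$

4. replace $P_{\underline{s}}:\langle x,z\rangle$ by $\mathrm{Bag}:x = \mathrm{Bag}:z \wedge \mathrm{Ordered}:z$

5. replace $\sigma_{2T}:\langle b,z_1\rangle$ by $\mathrm{Cons}:\langle b,z_1\rangle$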
Since we desire to have the separability condition hold in order to apply
Theorem 1 we evidently must try to find values for $E_c$, $P_c$, and $O_{2E}$ which allow us
to prove (4.2).

In order to determine $O_{2E}$ we attempt to reduce (4.2) to a formula dependent
on the variables $x_0$, a, and $x_1$ only. The consequent is the conjunction of two
atomic formulas so we can tackle them separately. Consider first

$$\mathrm{Bag}:x_0 = \mathrm{Bag}:z_0. \qquad (4.3)$$

This is equivalent to

$$\mathrm{Bag}:x_0 = \mathrm{Bag}:\mathrm{Cons}:\langle b,z_1\rangle$$

since $\mathrm{Cons}:\langle b,z_1\rangle = z_0$ is a hypothesis. The fact

$$\mathrm{Bag}\circ\mathrm{Cons}:\langle u,y\rangle = \mathrm{Add}:\langle u,\mathrm{Bag}:y\rangle$$

allows us to reduce the goal to

$$\mathrm{Bag}:x_0 = \mathrm{Add}:\langle b,\mathrm{Bag}:z_1\rangle.$$

Then since

$$\mathrm{Bag}:x_1 = \mathrm{Bag}:z_1$$

is a hypothesis we further reduce to

$$\mathrm{Bag}:x_0 = \mathrm{Add}:\langle b,\mathrm{Bag}:x_1\rangle.$$

This last relation is almost expressed in terms of variables required by $O_{2E}$.
Let us assume a = b and thus let $E_c = \mathbb{N}$, $J_c:x \Leftrightarrow \mathrm{TRUE}$, $P_c:\langle a,b\rangle \Leftrightarrow a = b$, and
let $f_c$ be Id. This finally reduces (4.3) to

$$\mathrm{Bag}:x_0 = \mathrm{Add}:\langle a,\mathrm{Bag}:x_1\rangle. \qquad (4.4)$$

In other words, if we had (4.4) and a = b as additional hypotheses then we could
establish our original goal (4.3). We will use (4.4) in the output condition
$O_{2E}$.

Consider now the second goal

$$\mathrm{Ordered}:z_0 \qquad (4.5)$$

which via the hypotheses $\mathrm{Cons}:\langle b,z_1\rangle = z_0$ and a = b reduces to

$$\mathrm{Ordered}\circ\mathrm{Cons}:\langle a,z_1\rangle.$$

The fact

$$u \le \mathrm{Bag}:y \wedge \mathrm{Ordered}:y \Leftrightarrow \mathrm{Ordered}\circ\mathrm{Cons}:\langle u,y\rangle$$

can be used to produce the equivalent goal

$$a \le \mathrm{Bag}:z_1 \wedge \mathrm{Ordered}:z_1.$$

Now $\mathrm{Ordered}:z_1$ is a hypothesis and thus is assumed to hold. The remaining
subgoal can be transformed via the hypothesis $\mathrm{Bag}:x_1 = \mathrm{Bag}:z_1$ to

$$a \le \mathrm{Bag}:x_1.$$

We have reduced (4.5) to a subgoal which is expressed in terms of the variables
required by $O_{2E}$. By reasoning backwards we have shown above that if

$$a \le \mathrm{Bag}:x_1 \wedge \mathrm{Bag}:x_0 = \mathrm{Add}:\langle a,\mathrm{Bag}:x_1\rangle \qquad (4.6)$$

holds then we can establish (4.2). We take (4.6) as $O_{2E}$.

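Before constructing the specification for $\sigma_{2E}$ we construct a well-founded
ordering on $E_{\underline{s}} = \mathrm{LIST}(\mathbb{N})$. By Proposition 1 we can construct one based on a
mapping from $\mathrm{LIST}(\mathbb{N})$ to $\mathbb{N}$. The known function Length maps $\mathrm{LIST}(\mathbb{N})$ to $\mathbb{N}$ so
define

$$x_0 \succ x_1 \ \text{iff}\ \mathrm{Length}:x_0 > \mathrm{Length}:x_1.$$

By Proposition 1 $\langle E_{\underline{s}},\succ\rangle$ is a well-founded set.

Using (4.6) as $O_{2E}$ and this well-founded ordering on $\mathrm{LIST}(\mathbb{N})$ we create the
following specification for $\sigma_{2E}$ in accord with condition (1) of Theorem 1.

$$\sigma_{2E}:x_0 = \langle a,x_1\rangle \ \text{such that}\ a \le \mathrm{Bag}:x_1 \wedge \mathrm{Bag}:x_0 = \mathrm{Add}:\langle a,\mathrm{Bag}:x_1\rangle \wedge \mathrm{Length}:x_0 > \mathrm{Length}:x_1$$

where $\sigma_{2E}: \mathrm{LIST}(\mathbb{N}) \to \mathbb{N} \times \mathrm{LIST}(\mathbb{N})$

By inspection we see that there is no feasible output when the input is nil so
we add the input condition "x ≠ nil" obtaining

$$\sigma_{2E}:x_0 = \langle a,x_1\rangle \ \text{such that}\ x_0 \ne \mathrm{nil} \Rightarrow \mathrm{Bag}:x_0 = \mathrm{Add}:\langle a,\mathrm{Bag}:x_1\rangle \wedge a \le \mathrm{Bag}:x_1 \wedge \mathrm{Length}:x_0 > \mathrm{Length}:x_1$$

where $\sigma_{2E}: \mathrm{LIST}(\mathbb{N}) \to \mathbb{N} \times \mathrm{LIST}(\mathbb{N})$.

In [13] we show how to derive the input condition for decomposition operators by
formal means. In the next section we derive a divide and conquer algorithm,
called Select, for this problem.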

From the input condition of Select we obtain the guard x ≠ nil. The
intended algorithm at this point has the form:

    Ssort:x ≡ if
        q_1:x → Nil∘f_λ∘σ_1E:x □
        x ≠ nil → Cons∘(Id × Ssort)∘Select:x
    fi.

The construction of a specification for $\sigma_{1E}$ is similar. First, we
instantiate the separability condition obtaining

$$\forall x_0 \in \mathrm{LIST}(\mathbb{N})\ \forall z_0 \in \mathrm{LIST}(\mathbb{N})\ [O_{1E}:x_0 \wedge \mathrm{Nil}:\langle\rangle = z_0 \Rightarrow \mathrm{Bag}:x_0 = \mathrm{Bag}:z_0 \wedge \mathrm{Ordered}:z_0] \qquad (4.7)$$

In creating this formula we have replaced

$w_1$ by $\lambda$

$E_{\underline{s}}$ and $T_{\underline{s}}$ by $\mathrm{LIST}(\mathbb{N})$

$P_{\underline{s}}$ by $\mathrm{Bag}:x_0 = \mathrm{Bag}:z_0 \wedge \mathrm{Ordered}:z_0$

$\sigma_{1T}$ by Nil

and performed some simplifications.

Again we treat the two conjuncts of the goal separately. Since $z_0$ is nil
then the goal $\mathrm{Ordered}:z_0$ holds. The other goal

$$\mathrm{Bag}:z_0 = \mathrm{Bag}:x_0$$

is equivalent to

$$x_0 = \mathrm{nil}$$

since $z_0 = \mathrm{nil}$. We use "$x_0 = \mathrm{nil}$" as the output condition $O_{1E}$ and create the
specification

$$\sigma_{1E}:x_0 = z \ \text{such that}\ x_0 = \mathrm{nil}$$

where $\sigma_{1E}: \mathrm{LIST}(\mathbb{N}) \to \{\langle\rangle\}$.

The function liN satisfies this specification.

Putting together all of the operators derived above, we obtain the
following selection sort program:

    Ssort:x ≡ if
        x = nil → Nil∘Id_<>∘liN:x □
        x ≠ nil → Cons∘(Id × Ssort)∘Select:x
    fi

which can be simplified to

    Ssort:x ≡ if
        x = nil → x □
        x ≠ nil → Cons∘(Id × Ssort)∘Select:x
    fi

4.3  Synthesis  of  Select 

In the previous section we derived the specification

$$\mathrm{Select}:x_0 = \langle a,x_1\rangle \ \text{such that}\ x_0 \ne \mathrm{nil} \Rightarrow \mathrm{Bag}:x_0 = \mathrm{Add}:\langle a,\mathrm{Bag}:x_1\rangle \wedge a \le \mathrm{Bag}:x_1 \wedge \mathrm{Length}:x_0 > \mathrm{Length}:x_1$$

where $\mathrm{Select}: \mathrm{LIST}(\mathbb{N}) \to \mathbb{N} \times \mathrm{LIST}(\mathbb{N})$

The synthesis of Select proceeds according to the design strategy DS2. First,
we choose a simple decomposition algebra for the input domain - the set of
non-nil lists of natural numbers. The algebra $A = \langle\{\mathbb{N},\mathrm{LIST}(\mathbb{N})\},\{\mathrm{tsiL},\mathrm{snoC}\}\rangle$ is
satisfactory since all non-nil lists can be decomposed into non-nil lists and
natural numbers by tsiL and snoC. The sort set is $S = \{c,\underline{s}\}$, tsiL has type
$\langle\underline{s},c\rangle$, and snoC has type $\langle\underline{s},c\underline{s}\rangle$. We have

$E_c = \mathbb{N}$,

$E_{\underline{s}} = \mathrm{LIST}(\mathbb{N})$, $T_{\underline{s}} = \mathbb{N} \times \mathrm{LIST}(\mathbb{N})$,

$J_{\underline{s}}:x_0 \Leftrightarrow x_0 \ne \mathrm{nil}$,

$P_{\underline{s}}:\langle x_0,\langle a,x_1\rangle\rangle \Leftrightarrow \mathrm{Bag}:x_0 = \mathrm{Add}:\langle a,\mathrm{Bag}:x_1\rangle \wedge a \le \mathrm{Bag}:x_1 \wedge \mathrm{Length}:x_0 > \mathrm{Length}:x_1$,

$\sigma_{1E}$ is tsiL, and $\sigma_{2E}$ is snoC.

tsiL is defined when Rest:x = nil so this condition is used as $q_1$. snoC will
decompose a non-nil list x into a number and a non-nil list when Rest:x ≠ nil, so
we take this condition as $q_2$. Our intended algorithm now has the form

    Select:x0 ≡ if
        Rest:x0 = nil → σ_1T∘f_c∘tsiL:x0 □
        Rest:x0 ≠ nil → σ_2T∘(f_c × Select)∘snoC:x0
    fi

It remains to determine the output domain $T_c$, the input and output conditions $J_c$
and $P_c$ for the auxiliary function $f_c$, and the composition operators $\sigma_{1T}$ and $\sigma_{2T}$.

$E_{\underline{s}} = \mathrm{LIST}(\mathbb{N})$ is made a well-founded set exactly as in the previous example
by defining $x_0 \succ x_1$ iff $\mathrm{Length}:x_0 > \mathrm{Length}:x_1$. snoC and tsiL clearly preserve
this ordering.

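In pursuit of an output condition for $\sigma_{2T}$ (a relation dependent on the
variables $a_0$, $z_0$, v, $a_1$, and $z_1$), we first instantiate the separability
condition with the result

$$\forall \langle\langle a_0,z_0\rangle,\langle v,\langle a_1,z_1\rangle\rangle\rangle \in (\mathbb{N} \times \mathrm{LIST}(\mathbb{N})) \times (T_c \times (\mathbb{N} \times \mathrm{LIST}(\mathbb{N})))$$
$$\forall \langle x_0,\langle u,x_1\rangle\rangle \in \mathrm{LIST}(\mathbb{N}) \times (\mathbb{N} \times \mathrm{LIST}(\mathbb{N}))$$
$$[\mathrm{snoC}:x_0 = \langle u,x_1\rangle \wedge \mathrm{Bag}:x_1 = \mathrm{Add}:\langle a_1,\mathrm{Bag}:z_1\rangle \wedge a_1 \le \mathrm{Bag}:z_1 \wedge \mathrm{Length}:x_1 > \mathrm{Length}:z_1 \wedge P_c:\langle u,v\rangle \wedge O_{2T}:\langle\langle a_0,z_0\rangle,\langle v,\langle a_1,z_1\rangle\rangle\rangle$$
$$\Rightarrow \mathrm{Bag}:x_0 = \mathrm{Add}:\langle a_0,z_0\rangle \wedge a_0 \le \mathrm{Bag}:z_0 \wedge \mathrm{Length}:x_0 > \mathrm{Length}:z_0]. \qquad (4.8)$$

To create this formula the following substitutions were made

$c\underline{s}$ replaces $w_2$

$\mathrm{LIST}(\mathbb{N})$ replaces $E_{\underline{s}}$ and $\mathbb{N} \times \mathrm{LIST}(\mathbb{N})$ replaces $T_{\underline{s}}$

$\mathbb{N}$ replaces $E_c$

$\mathrm{snoC}:x_0 = \langle u,x_1\rangle$ replaces $O_{2E}:\langle x_0,x_1,x_2\rangle$

$\mathrm{Bag}:x_1 = \mathrm{Add}:\langle a_1,\mathrm{Bag}:z_1\rangle \wedge a_1 \le \mathrm{Bag}:z_1 \wedge \mathrm{Length}:x_1 > \mathrm{Length}:z_1$
replaces $P_{\underline{s}}:\langle x_1,\langle a_1,z_1\rangle\rangle$

Again we consider the goals in (4.8) one at a time. The goal

$$a_0 \le \mathrm{Bag}:z_0$$

is already expressed in the form we desire, so we can use it in $O_{2T}$. Consider
the goal

$$\mathrm{Bag}:x_0 = \mathrm{Add}:\langle a_0,z_0\rangle.$$

We have

$$\mathrm{Bag}:x_0 = \mathrm{Bag}\circ\mathrm{Cons}:\langle u,x_1\rangle \quad \text{(by hypothesis)}$$
$$= \mathrm{Add}:\langle u,\mathrm{Bag}:x_1\rangle$$
$$= \mathrm{Add}:\langle u,\mathrm{Add}:\langle a_1,z_1\rangle\rangle \quad \text{(by hypothesis)}$$

Suppose that we let u = v and thus let $T_c = \mathbb{N}$, $P_c:\langle u,v\rangle \Leftrightarrow u = v$, and $f_c$ be Id. We
have

$$\mathrm{Add}:\langle v,\mathrm{Add}:\langle a_1,z_1\rangle\rangle = \mathrm{Add}:\langle a_0,z_0\rangle.$$

This condition is expressed in the desired variables so we use it in $O_{2T}$.
Finally, consider the goal

$$\mathrm{Length}:x_0 > \mathrm{Length}:z_0. \qquad (4.9)$$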

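In the following derivation we use Card:x to denote the cardinality of the bag
x. We then have

$$\mathrm{Length}:x_0 = \mathrm{Length}\circ\mathrm{Cons}:\langle u,x_1\rangle$$
$$= 1 + \mathrm{Length}:x_1$$
$$= 1 + \mathrm{Card}\circ\mathrm{Add}:\langle a_1,\mathrm{Bag}:z_1\rangle \quad \text{(using hypothesis } \mathrm{Bag}:x_1 = \mathrm{Add}:\langle a_1,\mathrm{Bag}:z_1\rangle\text{)}$$
$$= 2 + \mathrm{Card}\circ\mathrm{Bag}:z_1$$
$$= 2 + \mathrm{Length}:z_1.$$

Thus we have reduced (4.9) to

$$2 + \mathrm{Length}:z_1 > \mathrm{Length}:z_0.$$

Putting all these conditions together we obtain

$$\mathrm{Add}:\langle v,\mathrm{Add}:\langle a_1,\mathrm{Bag}:z_1\rangle\rangle = \mathrm{Add}:\langle a_0,\mathrm{Bag}:z_0\rangle \wedge a_0 \le \mathrm{Bag}:z_0 \wedge 2 + \mathrm{Length}:z_1 > \mathrm{Length}:z_0$$

and use it as $O_{2T}$. We derive an input condition by reasoning forwards from

$$\mathrm{snoC}:x_0 = \langle u,x_1\rangle \wedge \mathrm{Bag}:x_1 = \mathrm{Add}:\langle a_1,\mathrm{Bag}:z_1\rangle \wedge a_1 \le \mathrm{Bag}:z_1 \wedge \mathrm{Length}:x_1 > \mathrm{Length}:z_1 \wedge u = v$$

towards a relation expressed in terms of the variables v, $a_1$, and $z_1$. The only
useful inference seems to be

$$a_1 \le \mathrm{Bag}:z_1$$

so we take this as the input condition and form the specification

$$\sigma_{2T}:\langle v,\langle a_1,z_1\rangle\rangle = \langle a_0,z_0\rangle \ \text{such that}\ a_1 \le \mathrm{Bag}:z_1 \Rightarrow a_0 \le \mathrm{Bag}:z_0 \wedge \mathrm{Add}:\langle v,\mathrm{Add}:\langle a_1,\mathrm{Bag}:z_1\rangle\rangle = \mathrm{Add}:\langle a_0,\mathrm{Bag}:z_0\rangle \wedge 2 + \mathrm{Length}:z_1 > \mathrm{Length}:z_0$$

where $\sigma_{2T}: \mathbb{N} \times (\mathbb{N} \times \mathrm{LIST}(\mathbb{N})) \to \mathbb{N} \times \mathrm{LIST}(\mathbb{N})$

A conditional program, call it Compose2, can be constructed satisfying this
specification.

    Compose2:<v,<a1,z1>> ≡ if
        v ≤ a1 → <v,Cons:<a1,z1>> □
        v ≥ a1 → <a1,Cons:<v,z1>>
    fi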

We construct $O_{1T}$ in a similar manner. The separability condition is
partially instantiated yielding

$$\forall \langle\langle a_0,z_0\rangle,v\rangle \in (\mathbb{N} \times \mathrm{LIST}(\mathbb{N})) \times \mathbb{N}\ \ \forall \langle x_0,u\rangle \in \mathrm{LIST}(\mathbb{N}) \times \mathbb{N}$$
$$[\mathrm{tsiL}:x_0 = u \wedge u = v \Rightarrow \mathrm{Bag}:x_0 = \mathrm{Add}:\langle a_0,\mathrm{Bag}:z_0\rangle \wedge a_0 \le \mathrm{Bag}:z_0 \wedge \mathrm{Length}:x_0 > \mathrm{Length}:z_0]. \qquad (4.9)$$

Dealing first with the goal

$$\mathrm{Bag}:x_0 = \mathrm{Add}:\langle a_0,\mathrm{Bag}:z_0\rangle$$

we have

$$\mathrm{Bag}:x_0 = \{u\} = \{v\}$$

thus

$$\{v\} = \mathrm{Add}:\langle a_0,\mathrm{Bag}:z_0\rangle$$

or equivalently

$$a_0 = v \wedge z_0 = \mathrm{nil}.$$

Again the second goal $a_0 \le \mathrm{Bag}:z_0$ is already reduced to the desired form.
Consider now the final goal

$$\mathrm{Length}:x_0 > \mathrm{Length}:z_0.$$

We have $\mathrm{Length}:x_0 = 1$ thus the goal must reduce to

$$\mathrm{Length}:z_0 = 0$$

or equivalently, $z_0 = \mathrm{nil}$.

Putting together all these conditions we obtain

$$O_{1T}:\langle\langle a_0,z_0\rangle,v\rangle \Leftrightarrow z_0 = \mathrm{nil} \wedge a_0 = v$$

and create the specification

$$\sigma_{1T}:v = \langle a,z\rangle \ \text{such that}\ z = \mathrm{nil} \wedge a = v$$

where $\sigma_{1T}: \mathbb{N} \to \mathbb{N} \times \mathrm{LIST}(\mathbb{N})$.

The function Compose1 is easily shown to satisfy this specification:

    Compose1:v ≡ <v,nil>.

The functions derived above are assembled into the following program:

    Select:x0 ≡ if
        Rest:x0 = nil → Compose1∘Id∘tsiL:x0 □
        Rest:x0 ≠ nil → Compose2∘(Id × Select)∘snoC:x0
    fi

The complete selection sort program derived in this section is listed in Figure
4. It can be transformed into the simpler program listed in Figure 1.
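
The derived program can be transcribed directly and its specifications checked mechanically. The Python below is an added example, not code from the paper: it implements Ssort, Select, Compose1 and Compose2 as derived above and brute-forces the instantiated separability condition (4.2) over small lists, once with the full output condition (4.6) and once with the conjunct a ≤ Bag:x1 dropped. The function names, the `need_min` switch and the small search bounds are assumptions of this example.

```python
from collections import Counter
from itertools import product


def bag(xs):
    """Bag:x, the multiset of elements of a list."""
    return Counter(xs)


def ordered(zs):
    """Ordered:z, true when z is in nondecreasing order."""
    return all(zs[i] <= zs[i + 1] for i in range(len(zs) - 1))


def sort_spec(x, z):
    """Output condition of SORT: Bag:x = Bag:z and Ordered:z."""
    return bag(x) == bag(z) and ordered(z)


def select_spec(x0, a, x1, need_min=True):
    """Output condition derived for Select: (4.6) plus the length decrease.
    need_min=False drops the conjunct a <= Bag:x1 (for the experiment below)."""
    same_bag = bag(x0) == bag(x1) + Counter([a])
    shorter = len(x0) > len(x1)
    is_min = all(a <= e for e in x1)
    return same_bag and shorter and (is_min or not need_min)


def compose1(v):
    """Compose1:v = <v,nil>."""
    return (v, [])


def compose2(v, a1, z1):
    """Compose2: keep the smaller of v and a1 in front, push the other onto z1."""
    return (v, [a1] + z1) if v <= a1 else (a1, [v] + z1)


def select(x):
    """Select: split a non-nil list into <minimum, remaining elements>."""
    if not x:
        raise ValueError("Select requires a non-nil list (input condition)")
    u, rest = x[0], x[1:]          # tsiL / snoC: take the head off the list
    if not rest:                   # guard Rest:x = nil
        return compose1(u)
    a1, z1 = select(rest)          # guard Rest:x != nil
    return compose2(u, a1, z1)


def ssort(x):
    """Ssort in its simplified form; checks Select's specification as it goes."""
    if not x:
        return []
    a, x1 = select(x)
    assert select_spec(x, a, x1)
    return [a] + ssort(x1)


def separability_counterexamples(max_len=3, values=(0, 1, 2), need_min=True):
    """Search small inputs for violations of (4.2): every decomposition
    <a,x1> of x0 allowed by the output condition, composed with a feasible
    output z1 for x1, must give a feasible output for x0."""
    bad = []
    for n in range(1, max_len + 1):
        for x0 in map(list, product(values, repeat=n)):
            for i in range(n):                    # every way to remove one element
                a, x1 = x0[i], x0[:i] + x0[i + 1:]
                if not select_spec(x0, a, x1, need_min):
                    continue
                z1 = sorted(x1)                   # the feasible output for x1
                z0 = [a] + z1                     # Cons:<b,z1> with b = a
                if not sort_spec(x0, z0):
                    bad.append((x0, a, x1))
    return bad
```

With the full condition the search finds no counterexample; without a ≤ Bag:x1 it immediately does, which is why the backward reasoning from Ordered:z0 had to contribute that conjunct.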

5.  More  Examples 

5.1.  Cartesian  Product  of  Two  Sets 

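In this section we illustrate the design of a divide and conquer algorithm
using design strategy DS3. The problem of forming the cartesian product of two
sets can be specified by

$$\mathrm{CART\_PROD}:\langle x,x'\rangle = z \ \text{such that}\ z = \{\langle a,b\rangle \mid a \in x \text{ and } b \in x'\}$$

where $\mathrm{CART\_PROD}: \mathrm{SET}(\mathbb{N}) \times \mathrm{SET}(\mathbb{N}) \to \mathrm{SET}(\mathbb{N} \times \mathbb{N})$.

Here SET(R) denotes the data type of finite sets whose elements belong to the
data type R.

First, we choose a decomposition algebra on $\mathrm{SET}(\mathbb{N}) \times \mathrm{SET}(\mathbb{N})$ and then a
composition algebra on $\mathrm{SET}(\mathbb{N} \times \mathbb{N})$. A simple decomposition algebra on sets is
easily found:

$$A1 = \langle\{\mathrm{SET}(\mathbb{N}),\mathbb{N}\},\{\mathrm{Split},\mathrm{ihP}\}\rangle$$

where

$A1_{\underline{s}} = \mathrm{SET}(\mathbb{N})$

$A1_c = \mathbb{N}$

$\sigma_{1A1} = \mathrm{ihP}: \mathrm{SET}(R) \to \{\langle\rangle\}$ (type $\langle\lambda,\underline{s}\rangle$)

$\sigma_{2A1} = \mathrm{Split}: \mathrm{SET}(R) \to R \times \mathrm{SET}(R)$ (type $\langle c\underline{s},\underline{s}\rangle$).

ihP decomposes the empty set into the 0-tuple $\langle\rangle$ and Split decomposes a nonempty
set into an element and the remainder of the set. ihP is defined only on the
empty set and Split is defined only on nonempty sets so together these operators
decompose every finite set.

However, our input domain is 2-tuples of sets. We shall apply the above
decomposition operators to the first component of the tuple and leave the second
unchanged. The result is the $\Sigma^{-1}$-decomposition algebra

$$A2 = \langle\{\mathbb{N} \times \mathrm{SET}(\mathbb{N}),\ \mathrm{SET}(\mathbb{N}) \times \mathrm{SET}(\mathbb{N})\},\ \{\mathrm{ihP}\circ 1,\ \mathrm{Trans}\circ(\mathrm{Split} \times \mathrm{Id2})\}\rangle$$

where

$A2_{\underline{s}} = \mathrm{SET}(\mathbb{N}) \times \mathrm{SET}(\mathbb{N})$,

$A2_c = \mathbb{N} \times \mathrm{SET}(\mathbb{N})$,

$\sigma_{1E} = \mathrm{ihP}\circ 1: \mathrm{SET}(\mathbb{N}) \times \mathrm{SET}(\mathbb{N}) \to \{\langle\rangle\}$ (type $\langle\lambda,\underline{s}\rangle$),

$\sigma_{2E} = \mathrm{Trans}\circ(\mathrm{Split} \times \mathrm{Id2}): \mathrm{SET}(\mathbb{N}) \times \mathrm{SET}(\mathbb{N}) \to (\mathbb{N} \times \mathrm{SET}(\mathbb{N})) \times (\mathrm{SET}(\mathbb{N}) \times \mathrm{SET}(\mathbb{N}))$
(type $\langle c\underline{s},\underline{s}\rangle$).

$\sigma_{2E}$ makes use of two new functions. The function Id2 returns a 2-tuple
containing copies of its input, i.e., $\mathrm{Id2}:x = \langle x,x\rangle$. The function Trans transposes a
tuple of tuples as follows

$$\mathrm{Trans}:\langle x_1,\ldots,x_n\rangle = \langle y_1,\ldots,y_m\rangle$$

where $x_i = \langle x_{i1},\ldots,x_{im}\rangle$ and $y_j = \langle x_{1j},\ldots,x_{nj}\rangle$ for $1 \le i \le n$ and $1 \le j \le m$. For
example,

$$\mathrm{Trans}:\langle\langle 1,2,3\rangle,\langle 4,5,6\rangle\rangle = \langle\langle 1,4\rangle,\langle 2,5\rangle,\langle 3,6\rangle\rangle.$$

$\sigma_{2A2}$ behaves as follows on input $\langle\{1,2,3\},\{4,5\}\rangle$:

$$\mathrm{Trans}\circ(\mathrm{Split} \times \mathrm{Id2}):\langle\{1,2,3\},\{4,5\}\rangle = \mathrm{Trans}:\langle\langle 1,\{2,3\}\rangle,\langle\{4,5\},\{4,5\}\rangle\rangle$$
$$= \langle\langle 1,\{4,5\}\rangle,\langle\{2,3\},\{4,5\}\rangle\rangle.$$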

Before choosing a composition algebra for T we must decide what the
auxiliary output type $T_c$ can be given that $E_c$ is $\mathbb{N} \times \mathrm{SET}(\mathbb{N})$. Since $E_c$ appears to
be a slightly modified form of $E_{\underline{s}}$ ($= \mathrm{SET}(\mathbb{N}) \times \mathrm{SET}(\mathbb{N})$) we might conjecture that
the auxiliary function $f_c$ is similar to the principal function $f_{\underline{s}}$ and thus use
$\mathrm{SET}(\mathbb{N} \times \mathbb{N})$ as $T_c$. The composition operator $\sigma_{2T}$ then is some mapping from
$\mathrm{SET}(\mathbb{N} \times \mathbb{N}) \times \mathrm{SET}(\mathbb{N} \times \mathbb{N})$ to $\mathrm{SET}(\mathbb{N} \times \mathbb{N})$ - we can use the set-union operator
Union. $\sigma_{1T}$ is some mapping from $\{\langle\rangle\}$ to $\mathrm{SET}(\mathbb{N} \times \mathbb{N})$ - we can use the function
Phi, which maps the 0-tuple into the empty set.

So far we have developed the program structure

    CP:<x,x'> ≡ if
        x = {} → Phi∘Id_<>∘ihP∘1:<x,x'> □
        x ≠ {} → Union∘(f_c × CP)∘Trans∘(Split × Id2):<x,x'>
    fi.

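In order to determine a specification for $f_c$ we create the following instance of
the separability condition

$$\forall \langle\langle x_0,x'_0\rangle,\langle a,x'_1\rangle,\langle x_2,x'_2\rangle\rangle \in (\mathrm{SET}(\mathbb{N}) \times \mathrm{SET}(\mathbb{N})) \times (\mathbb{N} \times \mathrm{SET}(\mathbb{N})) \times (\mathrm{SET}(\mathbb{N}) \times \mathrm{SET}(\mathbb{N}))$$
$$\forall \langle z_0,z_1,z_2\rangle \in \mathrm{SET}(\mathbb{N} \times \mathbb{N}) \times \mathrm{SET}(\mathbb{N} \times \mathbb{N}) \times \mathrm{SET}(\mathbb{N} \times \mathbb{N})$$
$$[\mathrm{Split}:x_0 = \langle a,x_2\rangle \wedge x'_1 = x'_0 \wedge x'_2 = x'_0 \wedge P_c:\langle\langle a,x'_1\rangle,z_1\rangle \wedge z_2 = \{\langle u,v\rangle \mid u \in x_2 \text{ and } v \in x'_2\} \wedge z_0 = \mathrm{Union}:\langle z_1,z_2\rangle$$
$$\Rightarrow z_0 = \{\langle u,v\rangle \mid u \in x_0 \text{ and } v \in x'_0\}]. \qquad (5.1)$$

Since we are trying to reason backwards to an expression for $P_c:\langle\langle a,x'_1\rangle,z_1\rangle$ we
seek to reduce the goal to a relation over the variables a, $x'_1$, and $z_1$.
Consider the goal

$$z_0 = \{\langle u,v\rangle \mid u \in x_0 \text{ and } v \in x'_0\}. \qquad (5.2)$$

The set expression on the right hand side can be transformed as follows.

$$\{\langle u,v\rangle \mid u \in x_0 \text{ and } v \in x'_0\} = \{\langle u,v\rangle \mid u \in \mathrm{Add}:\langle a,x_2\rangle \text{ and } v \in x'_0\} \quad \text{(since } \mathrm{Split}:x = \langle a,y\rangle\text{)}$$
$$= \{\langle u,v\rangle \mid (u = a \text{ or } u \in x_2) \text{ and } v \in x'_0\}$$
$$= \mathrm{Union}:\langle\{\langle u,v\rangle \mid u = a \text{ and } v \in x'_0\},\ \{\langle u,v\rangle \mid u \in x_2 \text{ and } v \in x'_0\}\rangle$$
$$= \mathrm{Union}:\langle\{\langle u,v\rangle \mid u = a \text{ and } v \in x'_1\},\ \{\langle u,v\rangle \mid u \in x_2 \text{ and } v \in x'_2\}\rangle \quad \text{(since } x'_1 = x'_0 \text{ and } x'_2 = x'_0\text{)}$$
$$= \mathrm{Union}:\langle\{\langle u,v\rangle \mid u = a \text{ and } v \in x'_1\},\ z_2\rangle \quad \text{(since } z_2 = \{\langle u,v\rangle \mid u \in x_2 \text{ and } v \in x'_2\}\text{)}.$$

Using the hypothesis $z_0 = \mathrm{Union}:\langle z_1,z_2\rangle$ we reduce (5.2) to

$$\mathrm{Union}:\langle z_1,z_2\rangle = \mathrm{Union}:\langle\{\langle u,v\rangle \mid u = a \text{ and } v \in x'_1\},\ z_2\rangle$$

which holds if

$$z_1 = \{\langle u,v\rangle \mid u = a \text{ and } v \in x'_1\} \qquad (5.3)$$

holds. So if we take (5.3) as an additional hypothesis then (5.1) holds. We
take (5.3) as our output condition for $f_c$ and create the specification

$$\mathrm{CP\_aux}:\langle a,x\rangle = z \ \text{such that}\ z = \{\langle u,v\rangle \mid u = a \text{ and } v \in x\}$$

where $\mathrm{CP\_aux}: \mathbb{N} \times \mathrm{SET}(\mathbb{N}) \to \mathrm{SET}(\mathbb{N} \times \mathbb{N})$.

A divide and conquer algorithm for this problem can easily be constructed using
design strategy DS1 (along the same lines as Ssort). The complete algorithm for
producing the cartesian product of two sets is listed in Figure 5. The reader
can easily find several ways to simplify CP and CP_aux without affecting their
correctness.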
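
The operator pipeline of Figure 5 can be run as written. The Python below is an added example, not code from the paper: it transcribes Split, Id2, Trans, CP and CP_aux onto frozensets and tuples and checks the results against the CART_PROD specification and the output condition (5.3). The paper leaves open which element Split removes; taking the minimum is an assumption made here, as are the lower-case function names.

```python
def split(x):
    """Split: nonempty set -> <element, remainder>.
    Choosing the minimum element is an assumption of this example."""
    a = min(x)
    return a, x - {a}


def id2(x):
    """Id2:x = <x,x>."""
    return (x, x)


def trans(rows):
    """Trans: transpose a tuple of equal-length tuples."""
    return tuple(zip(*rows))


def decompose_cp(x, xp):
    """Trans o (Split x Id2):<x,x'> = <<a,x'>, <rest,x'>>."""
    return trans((split(x), id2(xp)))


def decompose_aux(a, x):
    """Trans o (Id2 x Split):<a,x> = <<a,b>, <a,rest>>."""
    return trans((id2(a), split(x)))


def cp_aux(a, x):
    """CP_aux:<a,x> = {<a,v> | v in x}, by divide and conquer on x."""
    x = frozenset(x)
    if not x:                                   # guard x = {}: Phi
        return frozenset()
    pair, (a2, rest) = decompose_aux(a, x)
    return frozenset({pair}) | cp_aux(a2, rest)  # Add o (Id x CP_aux)


def cp(x, xp):
    """CP:<x,x'> = cartesian product, by divide and conquer on x."""
    x, xp = frozenset(x), frozenset(xp)
    if not x:                                   # guard x = {}: Phi
        return frozenset()
    (a, xp1), (x2, xp2) = decompose_cp(x, xp)
    return cp_aux(a, xp1) | cp(x2, xp2)         # Union o (CP_aux x CP)


def cart_prod_spec(x, xp, z):
    """Output condition of CART_PROD."""
    return z == frozenset((a, b) for a in x for b in xp)


def aux_spec(a, x, z):
    """Output condition (5.3) derived for the auxiliary function."""
    return z == frozenset((a, v) for v in x)
```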

5.2 Evaluating a Proposition

In  this  section  we  present  a  divide  and  conquer  algorithm  for  evaluating  a 
proposition.  It  provides  an  example  of  a  more  complex  signature  and  illustrates 
a  programming  style  suggested  by  our  treatment  of  divide  and  conquer  algorithms. 
Given a well-formed proposition F and an interpretation I the problem is to
compute the truth value of F under I. Relevant portions of the abstract data types
for  propositions,    interpretations,  and  truth  values  are  presented  below. 

A  data  type  PROP  representing  well-formed  propositions  can  be  described 
abstractly  as  follows.  Let  LETTERS  be  a  set  of  symbols  called  letters.  PRCP  is 
generated   from  LETTERS  using  the  constructors 
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CP:<x,x'>  ■    if 

x=  {}    -»    Phi-Id<>«ihP-l:<xfx,>   0 

x?  {}   ->    Union •  (CP  auxXCP)  -Trans •  (Split X  Id2)  :<x,x'>   Q 

fi.  — 

CP_aux:<a/x>  s    if 

x=  {}    ->    Phi«Id<>-ihP«2:<a,x>   Q 

x^{}    -»    Add-(IdXCP  aux) -Trans »(Id2X  Split)  :<a,x>   Q 

fi.  — 

Figure  5.   Forming  the  Cartesian  Product  of  Two  Sets. 


Compose_atom: LETTER → PROP, which converts a letter into an atomic proposition,

Compose_neg: PROP → PROP, which forms the negation of a proposition,

Compose_conj: PROP × PROP → PROP, which forms the conjunction of two propositions,

Compose_disj: PROP × PROP → PROP, which forms the disjunction of two propositions.

In other words we have

<{PROP, LETTERS}, {Compose_atom, Compose_neg, Compose_conj, Compose_disj}>

as a composition algebra for PROP. Each of these constructors is uniquely
invertible and we have the corresponding decomposition algebra

<{PROP, LETTERS}, {Decompose_atom, Decompose_neg, Decompose_conj, Decompose_disj}>

where

Decompose_atom: PROP → LETTER, which decomposes an atomic proposition into its
constituent letter,

Decompose_neg: PROP → PROP, which decomposes a negation into its constituent
proposition,

Decompose_conj: PROP → PROP × PROP, which decomposes a conjunction into its
constituent propositions, and

Decompose_disj: PROP → PROP × PROP, which decomposes a disjunction into its
constituent propositions.
These decomposition operators are defined when the predicates Atom, Neg, Conj,
Disj are true respectively. For example, Atom:F holds exactly when
Decompose_atom:F = α for some α ∈ LETTER. We also have F = Compose_atom:α.
Similarly, Conj:F holds iff Decompose_conj:F = <G,H> for some G,H ∈ PROP and thus
F = Compose_conj:<G,H>. More formally the following axioms hold for all
α ∈ LETTER and F,G ∈ PROP

Decompose_atom∘Compose_atom:α = α

Decompose_neg∘Compose_neg:F = F

Decompose_conj∘Compose_conj:<F,G> = <F,G>

Decompose_disj∘Compose_disj:<F,G> = <F,G>

Atom∘Compose_atom:α = TRUE

Neg∘Compose_neg:F = TRUE

Conj∘Compose_conj:<F,G> = TRUE

Disj∘Compose_disj:<F,G> = TRUE

The input for our proposition evaluator also includes an interpretation
I ∈ INTERPRETATION which associates boolean values with each letter. We use the
operator Assoc: LETTER × INTERPRETATION → B to determine the value of a given
letter under an interpretation.

The output domain for our proposition evaluator is B, which has the
composition algebra

<{B}, {Id, Not, And, Or}>,

where

Id: B → B (the identity operator),

Not: B → B (the usual negation operator),

And: B × B → B (the usual logical and operator),

Or: B × B → B (the usual logical or operator).

A divide and conquer algorithm, called Prop_eval, for evaluating a
proposition is listed in Figure 6.

Prop_eval:<F,I> =
if
    Atom:F → Id∘Assoc∘(Decompose_atom × Id):<F,I> □
    Neg:F → Not∘Prop_eval∘(Decompose_neg × Id):<F,I> □
    Conj:F → And∘(Prop_eval × Prop_eval)∘Trans∘(Decompose_conj × Id2):<F,I> □
    Disj:F → Or∘(Prop_eval × Prop_eval)∘Trans∘(Decompose_disj × Id2):<F,I> □
fi

Figure 6. A Proposition Evaluator

Here is an example computation of Prop_eval: Let F denote the representation
of the proposition (A ∧ B) ∨ ¬A and F_1 and F_2 the propositions A ∧ B and ¬A
respectively, thus F = Compose_disj:<F_1,F_2>. Let I be an interpretation under
which letters A and B have the values TRUE and FALSE respectively.

Prop_eval:<F,I> = Or∘(Prop_eval × Prop_eval)∘Trans∘(Decompose_disj × Id2):<F,I>

(since Disj:F holds)

= Or∘(Prop_eval × Prop_eval)∘Trans:<<F_1,F_2>,<I,I>>

= Or∘(Prop_eval × Prop_eval):<<F_1,I>,<F_2,I>>

= Or:<FALSE,FALSE>

= FALSE

where Prop_eval:<F_1,I> and Prop_eval:<F_2,I> both evaluate to FALSE in a similar
manner.
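
The Prop_eval scheme and the worked computation above, transcribed into Python as an added example that is not part of the paper. The tagged-tuple representation of PROP, the dict used for an interpretation, and the helper names is_kind and decompose are assumptions of this example.

```python
from functools import reduce

# Combinators of the paper's notation (compose is "∘", product is "X").
def compose(*fs):
    return lambda x: reduce(lambda v, f: f(v), reversed(fs), x)
def product(f, g):
    return lambda p: (f(p[0]), g(p[1]))
def trans(p):                       # Trans:<<a,b>,<c,d>> = <<a,c>,<b,d>>
    return ((p[0][0], p[1][0]), (p[0][1], p[1][1]))
def ident(x): return x
def id2(x): return (x, x)           # Id2:x = <x,x>

# PROP as tagged tuples (a representation assumed for this example).
def compose_atom(letter): return ("atom", letter)
def compose_neg(f): return ("neg", f)
def compose_conj(p): return ("conj",) + tuple(p)
def compose_disj(p): return ("disj",) + tuple(p)

def is_kind(tag):                   # builds the predicates Atom, Neg, Conj, Disj
    return lambda f: f[0] == tag
atom, neg, conj, disj = map(is_kind, ("atom", "neg", "conj", "disj"))

def decompose(tag):                 # defined only when the matching predicate holds
    def op(f):
        if f[0] != tag:
            raise ValueError(f"{tag} decomposition undefined for {f!r}")
        return f[1] if len(f) == 2 else (f[1], f[2])
    return op
decompose_atom, decompose_neg, decompose_conj, decompose_disj = map(
    decompose, ("atom", "neg", "conj", "disj"))

def assoc(p): return p[1][p[0]]     # Assoc:<letter, I>; I is a dict here
def not_(b): return not b
def and_(p): return p[0] and p[1]
def or_(p): return p[0] or p[1]

def prop_eval(p):
    f = p[0]
    if atom(f):
        return compose(ident, assoc, product(decompose_atom, ident))(p)
    if neg(f):
        return compose(not_, prop_eval, product(decompose_neg, ident))(p)
    if conj(f):
        return compose(and_, product(prop_eval, prop_eval), trans,
                       product(decompose_conj, id2))(p)
    if disj(f):
        return compose(or_, product(prop_eval, prop_eval), trans,
                       product(decompose_disj, id2))(p)
    raise ValueError(f"not a well-formed proposition: {f!r}")
```
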

6.     Concluding  Remarks 

We  have  presented  a  class  of  program  schemes  which  provide  a  normal-form 
for  expressing  the  structure  of  divide  and  conquer  algorithms.  Based  on  these 
schemes  we  have  given  a  theorem  relating  the  correctness  of  a  divide  and  conquer 
algorithm  to  the  correctness  of  its  parts.  The  theorem  gives  rise  to  several 
strategies for designing divide and conquer algorithms and we used these
strategies to derive several algorithms.

By using syntactic program schemes to express the structure of a diverse
class of algorithms we have the disadvantage that some instances will not be in
their most desirable form. However this approach to representing programming
knowledge has a number of important advantages. 1) Schemes express the
essential structure of algorithms in the class in a clear and precise way. 2)
Generic proofs of correctness, as provided here by Theorem 1, can be given. The
correctness of a divide and conquer algorithm is reduced to the simpler task of
establishing the conditions of Theorem 1. 3) By providing the essential
structure of algorithms in a class, schemes may suggest uniform approaches to
designing them.

The  design  strategies  we  have  presented  involve  choices  which  may  be  weakly 
motivated  and  we  may  need  to  try  several  alternatives  before  we  find  one  which 
works.  The  resulting  design  process  can  be  represented  by  a  tree  of  derivation 
paths,  some  of  which  lead  to  useful  algorithms,  some  of  which  are  dead  ends. 
Aside  from  this  control  problem  the  design  strategies  can  be  formalized  for  use 
in  automatic  program  synthesizers.  However  at  present  it  is  not  clear  whether 
an  adequate  collection  of  heuristics  can  be  found  to  guide  an  automated  design 
process  through  the  design  space  without  human  insight. 

The top-down style of programming suggested by our design strategies can be
summarized as follows. First we require a clear understanding of the problem to
be solved, expressed formally by specifications. If a divide and conquer
solution seems both possible and desirable we begin to explore the input and/or
output domains looking for simple decomposition and composition algebras
respectively. Depending on our choice we follow one of the design strategies
discussed above. Using our intuition and/or proceeding formally using the
separability condition we derive specifications for the unknown operators in our
program. These specifications are then satisfied either by target language
operators or by (recursively) designing algorithms for them. Once a correct but
possibly over-structured or inefficient algorithm has been constructed we subject
it to equivalence-preserving transformations resulting in a more satisfactory
design.